Petya or NotPetya – under POPI you must report

04 July 2017 Norton Rose Fulbright

Barely recovered from the WannaCry ransomware attack, many across the globe now have to deal with the latest ransomware attack, NotPetya. It was originally thought to be the Petya ransomware, which is designed to make money, but security analysts quickly realised that the current cyber-attack was not designed to make money. It appears that NotPetya has actually just been designed to cause maximum damage, while disguising itself as ransomware.

You know you’ve been affected by NotPetya if you receive a message that your files have been encrypted, with a demand to pay US$300 in Bitcoin. Unlike with WannaCry, there is no ‘kill-switch’ with NotPetya. A ‘kill-switch’ enables tech-wizards to infiltrate the malware and stop it from encrypting data or causing damage.

The NotPetya ransomware has affected large organisations all over Europe and the US, with the Ukraine appearing to have been hardest hit by it. See this timeline for some high-profile attacks and how NotPetya has unfolded.

In South Africa, there is currently no legal obligation on companies to notify anyone, either a local authority or customers of the company. Barring any confidentiality or similar contractual obligation that companies may have to customers, companies do not have to publicise their breach. However, once the Protection of Personal Information Act 2013 (POPI) commences there will be an obligation on organisations to report data breaches to the information regulator and customers; and once the Cybercrimes and Cybersecurity Bill is enacted there will be new offences created that will make cyber-attacks and breaches illegal in South Africa.

South African companies with affiliates or headquarters in other jurisdictions may currently have notification obligations in terms of those foreign laws, so bear this in mind if you have been affected by NotPetya and have operations overseas.

Companies may also notify people potentially affected by a data breach as a policy decision or good practice, although proper legal and public relations advice should be taken before doing so.

By Kerri Crawford (SA) and Rakhee Bhikha   
First published by: Financial Institutions Legal Snapshot
